• Server Side Request Forgery (SSRF) is a vulnerability that
appears when an attacker has the ability to create requests
from the vulnerable server.
• Creates requests from the vulnerable server to
• SSRF usually attacks targets on the internal systems that are
located behind a firewall and normally inaccessible from the
• With SSRF it's possible to access these systems.
• Using a protocol supported by available URI schemas, you can
communicate with services running on other protocols.
• By providing URLs to unexpected hosts or ports, attackers can
make it appear that the server is sending the request, possibly
bypassing access controls such as firewalls that prevent the
attackers from accessing the URLs directly.
• The server can be used as a proxy to conduct port scanning of
hosts in internal networks, or to request other URLs that can
access documents on the system (using file://).
– Attacker sends Packet A to Service A
– Service A sends Packet B to service B
– Services can be on same or different hosts
– Possible to manipulate some fields of packet B within packet A
– Different SSRF attacks depend on how many fields can be
Smuggling Requests using services running to communicate.
With SSRF it's also possible to access services from the same server that is listening
on the loopback interface.
• The difference between various SSRF attacks depends on how
much of packet B we can control with packet A. So there
are 4 main types of SSRF attacks:
• Trusted SSRF: When we can send requests (Packet B)
to remote services but only to those which are
• Remote SSRF: When we can send requests (Packet B) to any
remote IP and port. This type has 3 subtypes depending on
how much data we can control:
– Simple Remote SSRF: No control on application level of Packet B
– Partial Remote SSRF: Control on some fields of application level of Packet B
– Full Remote SSRF: Full control on application level of Packet B
cURL - extensive support of URL schemas other than HTTP/HTTPS.
If the vulnerable server is using cURL to make HTTP requests, it's possible to use
the dict URL schema to make requests to any host on any port and send custom
The URL dict://localhost:11211/stat will cause the server to connect to localhost on
port 11211 and send the string "stat".
Port 11211 is the default port used by Memcached which is not accessible from
With this URL it's possible to connect to the local Memcached server and issue
Also, Memcached doesn't support any type of authentication and
therefore the attacker can issue any type of command.
SSRF Cheat Sheet